Users, Groups and Roles

Authentication & Authorization

Self-Service supports different means of authentication for users.

We support OAuth2, SAML, LDAP and other protocols via Keycloak.

This means the user can use its own corporate credentials to get access. As soon as the user has logged in, authorization is done by Self Service by a combination of a RBAC (Role-Based Access Control) and ABAC (Attribute-Based Access Control) system.

Roles & Permissions

In a DevOps culture, applications, topics, schemas and environments are maintained by the teams responsible for those entities. That is exactly why ownership of resources in Self Service is based on a group (team).

The AUTHOR permissions are always necessary to create a resource and assign an owner.

The Tenant Admin can restrict who can Update or Deploy owned resource by controlling the Update and Deploy Owned Resources settings from the Tenant settings page.

All Group Members Permissions (Default)

When tenant settings for Update and Deploy Owned Resources is set to All Group Members, the group ownership is used to determine the user’s permissions.

Users with ADMIN rights on specific resources can create, update and deploy resources even though they are not the owner. For an overview, see the table below.

Table 1. Permissions for Applications, Topics, Environments and Schemas when `Update and Deploy Owned Resources = All Group Members`
	View	Create	Update/Deploy	Delete
Authenticated User	✅	❌	❌	❌
Author Roles: Application Author Topic Author Environment Author Schema Author	✅	✅	❌	❌
Owner	✅	✅	✅	✅
Admin Roles: Application Admin Topic Admin Environment Admin Schema Admin Tenant Admin (see below)	✅	✅	✅	✅

Only Resource Managers Permissions

To restrict access to resources, a new Tenant setting allows for selection of Resource Managers. This setting can be toggled in the Tenant settings page.

When tenant settings for Update and Deploy Owned Resources is set to Only Resource Managers, the Resource Managers of the owning group are able to perform update and deploy operations.

Users with ADMIN rights on specific resources can create, update and deploy resources even though they are not the Resource Managers of the owning group.

For an overview, see the table below.

Table 2. Permissions for Applications, Topics, Environments, and Schemas when `Update and Deploy Owned Resources = Only Resource Managers`
	View	Create	Update/Deploy	Delete
Authenticated User	✅	❌	❌	❌
Author Roles: Application Author Topic Author Environment Author Schema Author	✅	✅	❌	❌
Owner	✅	❌	❌	❌
Resource Manager	✅	✅	✅	✅
Admin Roles: Application Admin Topic Admin Environment Admin Schema Admin Tenant Admin (see below)	✅	✅	✅	✅

Application Permissions

When a user has Edit permissions on an Application, the user has the following additional permissions:

Configure application principal

Topic Permissions

When a user has Edit permissions on a Topic, the user has the following additional permissions:

Viewing Topic Messages

Access to the messages of a topic is granted based on the following permissions:

If you are a topic owner: you can see the messages on topics you own
If you are a tenant admin: you can see the messages on any topic in any environment
If you are an application owner of a connected application: you can see the messages on any topic, in authorized environments

Environment Permissions

When a user has Edit permissions on an Environment, the user has the following additional permissions:

Configure a topic in this environment

Schema Permissions

When a user has Edit permissions on a Schema, the user has the following additional permissions:

Upload a new version of the existing Schema
Transfer ownership of an existing Schema to another group
Delete the existing Schema or its Schema Version

Default Roles

By default, whenever a user logs in to the Self-Service for the first time, the user receives by default the following roles:

Application Author
Environment Author
Topic Author

Other Resources

The most frequently modified resources such as Applications, Topics, Environments have now been covered. There are additional resources that are not visible for most users, but can be administered as well, such as:

Instance
Cluster
Group

Group Permissions

See Groups

Tenant permissions

For administering any resource within a tenant, the role "Tenant admin" has been created. This role is intended for people managing the Self Service installation within a company. Anyone with the role Tenant admin has admin permissions for all resources mentioned above, including some additional resources:

Users: assign roles, modify, delete users
Groups: create, modify and delete groups
Tenant: modify the Tenant Profile, such as Admin contacts, logo

Instance And Cluster Permissions

For modifying the Instance and Cluster resources, the role Super Admin has been added.This user has the following permissions:

Cluster: create, update, delete
Instance: create, update, delete, synchronize instance, synchronize environment

Users

Editing A User

Click the Users menu item
Click on a user to visit the User’s detail page
Click the Edit user button and you see the below page:

Filling or changing any information you need and clicking the Update User button updates the user’s information.

Disable User Notifications

This setting is only available when Tenant admin has enabled notifications

Go to the User’s detail page
Click the Edit user button and you see the below page:

Toggle Enable notifications for Axual to disabled.

Click on the Update User button. On the bottom right

By default, notifications for the user are enabled. If notifications are disabled, the user will stop receiving emails about various events related to the owned applications and topics, even if the notifications are enabled in tenant notification settings.

Deleting a User

Go to the User’s detail page
Click the Edit user button and you see the below page:
Click on the Delete User button at the bottom left of the page and a confirmation modal pops up.
After clicking on Confirm your user is deleted.

Groups

Creating a Group

Click the Groups menu item
Then click on the Add Group button. You will see a page as below:

After filling out the form and saving it, you have created your new group.

Editing a Group

Click the Groups menu item. You will see the list of existing groups.
Click on the group you want to edit. It will take you on the Group’s detail page.
Click on the Edit Group button. On the bottom right, you see the below page:

Fill in or change any information you need and click the Save user group button to update the group’s information.

Deleting a Group

Deleting a group can only be done if the group is not owning any entities(applications, environments, topics).

Visit the Group Detail page
Click the Edit Group
There is a Delete Group button on the bottom-left of the page. The button is active if all constraints are met and deletion is possible. Clicking the button, a confirmation modal opens, as below:

Clicking on Confirm will delete the group.
If all constraints are not met, the Delete Group button is disabled and on hover, a tooltip is shown with information on how many applications, environments and topics this group owns, as below:

Adding Users To a Group

You can add users to a group from the Add Group page or from the Edit Group page. The forms in these pages have a Members section as below:

You can add a user by clicking on the Add Member button and choosing a user from the dropdown.

Removing Users From a Group

You can remove users from a group from the Edit Group page. The form in that page has a Members section as the one above. You can remove a user by clicking on the button with the bin icon.

Making a Group Member Manager of the group

A Group Manager can edit this group, including adding or removing users, other group managers and resource managers.

Adding a Group Manager To a Group

You can designate group managers for a group either from the Add Group page or the Edit Group page. To assign a group manager, click the toggle checkbox next to the users you wish to make group managers.

A Group Manager has the authority to edit the group, including adding or removing users, other group managers and resource managers. If a group lacks a group manager, only a tenant admin can add or remove users, group managers and resource managers.

Making a Group Member Resource Manager of the group

If the tenant setting is set to Only Resource Managers, the option to select Resource Manager will be available to both Tenant Admin and Group Managers.

The Tenant Admin can assign Resource Managers to any group, while Group Managers can assign them within their own groups.

If the setting is set to All Group Members, no Resource Manager selection will be required.

Adding a Resource Manager to a Group

You can designate resource managers for a group either from the Add Group page or the Edit Group page. To assign a resource manager, click the toggle checkbox next to the users you wish to make resource managers.

Designate resource manager for the group

Viewer Groups

The Viewer Groups define which Groups are authorized to View all Resource Configurations, regardless of ownership and visibility.

Owners can still perform the same activities as before.The Viewer Groups are intended only to provide an additional set of users with VIEW access.

For example, in case we want to give only view access to all configurations defined in a Production Environment, we will require to only set the Viewer Groups of the Production Environment, then all members of any of the Viewer Groups will be able to see all Topic Configurations and Application Authentications defined in the Production Environment.

Environment Viewer Groups

Members of the Environment Viewer Groups can view all Topic Configurations and Application Authentications within the Environment only if the Topics and the Applications do not have Viewer Groups defined.

If a user is in both the Environment’s Viewer Groups and the Topic’s Viewer Groups, they can see the Topic Configuration for that Topic in that Environment.

If a user is in both the Environment’s Viewer Groups and the Application’s Viewer Groups, they can see all Application Authentications for that Application in that Environment.

To add an Environment Viewer Groups, please select the groups in Add Environment or Edit Environment view:

Application Viewer Groups

If Viewer Groups are defined only for the Application, members can view all Application Authentications for that Application across all Environments.

If Viewer Groups are defined only for the Environment, members can view all Applications' Application Authentications defined in that Environment.

If both the Environment and the Application have Viewer Groups, the user must belong to both Viewer Groups to view the Application Authentications for that Application in that Environment.

To add an Application Viewer Groups, please select the groups in Add Application or Edit Application view:

Topic Viewer Groups

If the Viewer Groups are defined only for the Topic, members can view all Topic Configurations for that Topic across all Environments.

If the Viewer Groups are defined only for the Environment, members can view all Topics' Topic Configurations defined in that Environment.

If both the Environment and the Topic have Viewer Groups, the user must belong to both Viewer Groups to view the Topic Configuration for that Topic in that Environment.

To add a Topic Viewer Groups, please select the groups in Add Topic or Edit Topic view: